How to use Mod Security & ClamAV with Litespeed 4.0

PLEASE REMEMBER TO RATE THIS THREAD SO IT WILL GAIN STICKY STATUS AND REMAIN A CONSTANT THREAD OF ASSISTANCE. THANK YOU.

I believe this post will help the greater LSWS community of users. Over and over I see many people asking the same questions, and multiple duplicates throughout the forum. For this reason I am compiling those queries into this thread in the hopes that a few of you Subject Matter Experts may help us.

FIRST: PEOPLE WISH TO KNOW HOW TO FULLY INTEGRATE MOD_SECURITY 2.5.X INTO LSWS WITH LOGGING THAT WORKS.

I have added the following line into httpd.conf, which is used by LSWS:

Code:

Include "/usr/local/apache/conf/modsec2.conf"

Having already built mod_security within the Easy Apache build prior to building matching php in LSWS and then switching to LSWS; it has come with the default mod_security rules.

You will see from the two illustrations below that mod security is installed and integrated with CSF, however, when you click to view the log, nothing is showed.

How can this be fixed?

Here are screenshots of the LSWS Admin Console for logging and request filter. Please advise if anything needs to be set there to properly incorporate better logging and/or mod_security integration:

::::: Now on to the final topic :::::

I have ClamAV included, however I do not believe it has been properly integrated to process all files received or perhaps uploaded through ftp -> through -> the mod_security rules, and logged. To make a long story short. Let's say I have a few erroneous shell scripts. I can presently upload them via ftp to one of my sites. I do not want anyone to be allowed to do this, as my computer antivirus has to be shut off just to download them, however my server allows them to be uploaded, which no one wants. Here are some screenshots:

FTP SHELL UPLOADED (THIS IS A SAFE MODE BYPASS SHELL)

HERE IS THE RESPONSE OF THE SHELL BEING STOPPED DUE TO PHP FUNCTIONS BEING DISABLED, BUT I WOULD LIKE THIS TO BE STOPPED PRIOR TO BEING UPLOADED, AND LOGGED IN MOD_SECURITY, CAUGHT BY CLAMAV, AND LOGGED ALSO FOR THAT ADDED PROTECTION, AS WELL AS BEING USEFUL TO LEGALLY PROSECUTE THOSE WHOM ARE ATTEMPTING TO CRACK MY SERVER.

For those of you whom do not have a proficient list of php functions to disable in "usr/local/lib/php.ini" - build matching php in lsws - or add to "usr/local/lsws/php/php.ini" ----- I have provided them here:

another good one to add is "ini_set", however I am using a constantly updating shoutcast radio script, so I do not have that in my list. If you don't have such a need, simply add ----> ,ini_set to the list.

In closing I am hoping some of you Master System Admins can help us less knowledgeable individuals secure our servers by providing some helpful responses to my requests above.

First, please upgrade to 4.0.3,Ok I have successfully upgraded to 4.0.3 with chRoot enabled. No other settings have been changed. They all migrated to the new version.

Second, add a testing mod_security rule,I do not know how to do this. That's what my inquiry above was about please.

third, try to hit the testing rule with a crafted requestI don't exactly know how to do this either, and will require assistance. What I have done is downloaded c100.php. I had to turn off my computer antivirus to even download it; however, I have uploaded it to a site on my server and I have successfully navigated the entire directory by accessing that file. This I do not want to happen. I don't even want a user to be allowed to upload these erroneous scripts.

fourth, checklogs/modsec_audit.logI am going to send you a site pm with my login and pw to root on my machine. If you can find time to review the above information and provide a solution understandable at my novice level, I truly do believe this will help everyone.